XeroWare
XeroWare is a ransomware that runs on Microsoft Windows. It is supposedly based on WannaCry, with improvements. It is part of the HiddenTear family. It is aimed at English-speaking users. As of 2020, XeroWare is still available. XeroWare is made to work with the latest Windows 10 build, but also comes with hundreds of backdoors that apply to previous versions, including Windows XP, 7, and 8.

Behavior

XeroWare is able to run on multiple devices at the same time.

Payload Transmission

XeroWare is distributed by hacking through an insecure RDP configuration, by email spam with malicious attachments, deceptive downloads, botnets, exploits, web injects, fake updates, and repackaged and infected installers.

Infection

XeroWare starts the process as soon as the user executes the malicious file (a PDF exploit, for example), and works its way through the most important user files: images, documents, videos, settings and save files, plugins, etc. XeroWare will first assess the target system and identify the proper backdoor depending on the system version. If the currently known vulnerable backdoor is not allowed to execute, the ransomware will start trying to work through numerous other vulnerabilities depending on the system version. It will then use RSA encryption to encrypt all the user's files.
It targets the following file extensions: .ebd, .jbc, .pst, .ost, .tib, .tbk, .bak, .bac, .abk, .as4, .asd, .ashbak, .backup, .bck, .bdb, .bk1, .bkc, .bkf, .bkp, .boe, .bpa, .bpd, .bup, .cmb, .fbf, .fbw, .fh, .ful, .gho, .ipd, .nb7, .nba, .nbd, .nbf, .nbi, .nbu, .nco, .oeb, .old, .qic, .sn1, .sn2, .sna, .spi, .stg, .uci, .win, .xbk, .iso, .htm, .html, .mht, .p7, .p7c, .pem, .sgn, .sec, .cer, .csr, .djvu, .der, .stl, .crt, .p7b, .pfx, .fb, .fb2, .tif, .tiff, .pdf, .doc, .docx, .docm, .rtf, .xls, .xlsx, .xlsm, .ppt, .pptx, .ppsx, .txt, .cdr, .jpe, .jpg, .jpeg, .png, .bmp, .jiff, .jpf, .ply, .pov, .raw, .cf, .cfn, .tbn, .xcf, .xof, .key, .eml, .tbb, .dwf, .egg, .fc2, .fcz, .fg, .fp3, .pab, .oab, .psd, .psb, .pcx, .dwg, .dws, .dxe, .zip, .zipx, .7z, .rar, .rev, .afp, .bfa, .bpk, .bsk, .enc, .rzk, .rzx, .sef, .shy, .snk, .accdb, .ldf, .accdc, .adp, .dbc, .dbx, .dbf, .dbt, .dxl, .edb, .eql, .mdb, .mxl, .mdf, .sql, .sqlite, .sqlite3, .sqlitedb, .kdb, .kdbx, .1cd, .dt, .erf, .lgp, .md, .epf, .efb, .eis, .efn, .emd, .emr, .end, .eog, .erb, .ebn, .ebb, .prefab, .jif, .wor, .csv, .msg, .msf, .kwm, .pwm, .ai, .eps, .abd, .repx, .oxps, .dot.

XeroWare will make the damaged files no longer recoverable, and they will be renamed with the file extension '.XERO' added to their names. A short time after the encryption has begun, the screen message shows up, informing the user about the steps to take in order to decrypt the files. The ransom note says the following:

Your files have been encrypted and your computer has been infected with XeroWare Ransom 1.2.
1) What Should I do?
A: Pay the specific amount we are asking from you in order to decrypt your files.
2) Can i try to remove the malware?
A: If you try anything your files will be removed, YOU have been WARNED.
3) How can i pay in order to decrypt my files ?
A: Copy the provided btc address and send the money.
4) How do i verify my payment?
A: You provide the payment transaction ID and you click confirm transaction.
5) What will happen if the payment transaction is not valid?
A: If you try to provide anything alike to fake or not valid your files will be destroyed permanently.
6) I have paid and verified my transaction how do i decrypt my files?
A: If you have paid and verified your transaction just simply click the decrypt button and everything will revert back to normal.
You have 96 hours in order to complete that task, otherwise your files will be destroyed. Time has already started…

The only module of XeroWare that requires an internet connection is the verification of the bitcoin payment, and it's automated, listening for the wallet that is configured. After verifying the payment, XeroWare will automatically start decrypting the user's files, unless it has stated otherwise in the settings of the builder.

Categories: Assembly, Ransomware, Win32 ransomware, Win32, Win32 trojan, Microsoft Windows, Trojan
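The two observable facts the page gives a defender are the appended '.XERO' extension and the list of targeted file types. The following triage helper, written here as an added example (it is not part of the Malware Wiki page and not derived from any XeroWare sample), applies both to a constructed list of file events: it recovers the original extension from a '.XERO' name, checks it against a subset of the page's extension list, and flags a burst of such renames in a short window, which is the pattern a file-monitoring rule would alert on. The event format (timestamp, path) and the threshold values are assumptions for the example.

```python
"""Triage helper for the '.XERO' rename pattern described on the page.

Added example, not part of the Malware Wiki page or any XeroWare sample.
Assumption (not from the page): file-create events are available as
(timestamp, path) tuples, e.g. exported from an EDR or Sysmon log.
"""
from collections import Counter
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Subset of the extension list quoted on the page; extend as needed.
TARGETED_EXTENSIONS = {
    ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".zip",
    ".sql", ".mdb", ".bak", ".pst", ".kdbx", ".psd", ".csv", ".txt",
}
RANSOM_SUFFIX = ".XERO"  # appended to encrypted files, per the page


def split_ransom_name(name):
    """Return (original_name, original_ext) for a '.XERO' name, else None.

    'report.docx.XERO' -> ('report.docx', '.docx'). The original extension
    is what tells the responder which data classes were hit.
    """
    if not name.endswith(RANSOM_SUFFIX):
        return None
    original = name[: -len(RANSOM_SUFFIX)]
    return original, PureWindowsPath(original).suffix.lower()


def triage(events, window=timedelta(seconds=60), threshold=10):
    """Collect '.XERO' renames and detect a burst of them.

    `threshold` renames within `window` is treated as mass encryption
    (assumed values; tune to the environment's normal rename rate).
    """
    hits = []
    for ts, path in events:
        parsed = split_ransom_name(PureWindowsPath(path).name)
        if parsed is None:
            continue
        original, ext = parsed
        hits.append({
            "time": ts,
            "path": path,
            "original": original,
            "ext": ext,
            "in_target_list": ext in TARGETED_EXTENSIONS,
        })

    # Sliding window over sorted timestamps: burst if `threshold` hits
    # fall inside any `window`-long interval.
    times = sorted(h["time"] for h in hits)
    burst = False
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            burst = True
            break

    return {"hits": hits, "burst": burst, "by_ext": Counter(h["ext"] for h in hits)}


# Constructed sample events (not real telemetry): twelve renames in 15 s,
# one untouched document and one unrelated executable.
BASE = datetime(2020, 2, 23, 10, 0, 0)
SAMPLE_EVENTS = [
    (BASE + timedelta(seconds=i), rf"C:\Users\alice\Documents\report{i}.docx.XERO")
    for i in range(8)
] + [
    (BASE + timedelta(seconds=10), r"C:\Users\alice\Pictures\holiday.jpg.XERO"),
    (BASE + timedelta(seconds=11), r"C:\Users\alice\backup.bak.XERO"),
    (BASE + timedelta(seconds=12), r"C:\Users\alice\notes.txt.XERO"),
    (BASE + timedelta(seconds=13), r"C:\Users\alice\game.sav.XERO"),  # not in subset
    (BASE + timedelta(seconds=14), r"C:\Users\alice\todo.txt"),       # untouched
    (BASE + timedelta(seconds=15), r"C:\Windows\placeholder.exe"),    # unrelated
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print(f"{len(result['hits'])} '.XERO' renames, burst={result['burst']}")
    for ext, count in result["by_ext"].most_common():
        print(f"  {ext or '(none)'}: {count}")
```

Run against a real export, `in_target_list` separates hits on the page's known extension list from others, and `by_ext` gives a quick picture of which data classes were encrypted; the burst flag is what distinguishes an incident from a single oddly named file.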